The Age Verification Trap: Verifying age undermines everyone's data protection

I don't get the alcohol analogy as in most places it's 100% legal for minors to consume alcohol in the home with parental permission in the USA. In public it's a different story.

I‘m not too knowledgeable about this, but couldn’t you just provide a government issued key to every citizen and give a service provider that key and it‘s only valid if you’re above a certain age?

A lot of talk and no solutions. Exactly the reason we are where we are.

Liquor stores, bars, strip clubs, adult bookstores, or similar businesses don't let kids in. Movie theatres don't let a 10 year old in to an R-rated movie. The tech industry ignored their social responsibility to keep kids away from adult and age-inappropriate content. Now, they are facing legal requirements to do so. Tough for them, but they could have been more proactive.

Isn't clear whether the paradox is biometric verification or ID data collection.

If there's only a centralized system that uses digital IDs to hand off providers only a "yay" or "nay"...

This thread is gonna be full of HN users blaming the parents for a systemic problem isn’t it?

Yup.

Everything is a trade off in the world. I think that people who are anti-id ignore this but for me personally it’s harder and harder to accept the trade offs of an internet without id. AI has only accelerated this, I don’t want to live in a world where the average person unknowingly interacts with bots more than other individuals and where black market actors can sway public opinion with armies of bots.

I think most people are aligned here, and that an internet without identification is inevitable whether we like it or not.

the companies pushing hardest for age verification are the same ones whose business model depends on knowing exactly who you are. the child safety framing is convenient cover for a data collection problem they were already trying to solve.

It’s the same as scanning for CSAM, or encryption-backdoors “to catch criminals”.

Of course we hate child abuse.

Of course we hate criminals.

Of course we hate social media addicting our kids.

But they’re just used as emotional framing for the true underlying desire: government surveillance.

(For the record: I am not into conspiracy theories; the EU has seen proposals for - imho technically impossible - “legally-breakable encryption” alone in 2020, 2022, and 2025; now we”ll also see repeated attempts at the “age verification” thing to force all adults to upload their IDs to ‘secure’ web portals)

I am so surprised by the comments on this thread. I was not expecting to see so many people on Hacker News in favor of this. As is typically the case with things like this, the reasoning stems from agreeing with the goal of age verification, with little regard to whether age verification could ever actually work. It reminds me in some sense to the situation with encryption where politicians want encryption that blocks "the bad guys" while still allowing "the good guys" to sneak in if necessary. Sure, that sounds cool, it's not possible though. I suppose DRM is a better analogue here, an increasingly convoluted system that slowly takes over your entire machine just so it can pretend that you can't view video while you're viewing it.

To be clear, tackling the issue of child access to the internet is a valuable goal. Unfortunately, "well what if there was a magic amulet that held the truth of the user's age and we could talk to it" is not a worthwhile path to explore. Just off the top of my head:

1. In an age of data leaks, identity theft, and phishing, we are training users to constantly present their ID, and critically for things as low stakes as facebook. It would be one thing if we were training people to show their ID JUST for filing taxes online or something (still not great, but at least conveys the sensitivity of the information they are releasing), but no, we are saying that the "correct future" is handing this information out for Farmville (and we can expect its requirement to expand over time of course). It doesn't matter if it happens at the OS level or the web page level -- they are identical as far as phishing is concerned. You spoof the UI that the OS would bring up to scan your face or ID or whatever, and everyone is trained to just grant the information, just like we're all used to just hitting "OK" and don't bother reading dialogs anymore.

2. This is a mess for the ~1 billion people on earth that don't have a government ID. This is a huge setback to populations we should be trying to get online. Now all of a sudden your usage of the internet is dependent on your country having an advanced enough system of government ID? Seems like a great way for tech companies to gain leverage over smaller third world companies by controlling their access to the internet to implementing support for their government documents. Also seems like a great way to lock open source out of serious operating system development if it now requires relationships with all the countries in the world. If you think this is "just" a problem of getting IDs into everyone's hands, remember that it a common practice to take foreign worker's passports and IDs away from them in order to hold them effectively hostage. The internet was previously a powerful outlet for working around this, and would now instead assist this practice.

3. Short of implementing HDCP-style hardware attestation (which more or less locks in the current players indefinitely), this will be trivially circumvented by the parties you're attempting to help, much like DRM was.

Again, the issues that these systems are attempting to address are valid, I am not saying otherwise. These issues are also hard. The temptation to just have an oracle gate-checker is tempting, I know. But we've seen time and again that this just (at best) creates a lot of work and doesn't actually solve the problem. Look no further than cookie banners -- nothing has changed from a data collection perspective, it's just created a "cookie banner expert" industry and possibly made users more indifferent to data collection as a knee-jerk reaction to the UX decay banners have created on the internet as a whole. Let's not 10 years from now laugh about how any sufficiently motivated teenager can scan their parent's phone while they're asleep, or pay some deadbeat 18 year-old to use their ID, and bypass any verification system, while simulateneously furthering the stranglehold large corporations have over the internet.

I wonder how much time we have before being asked to enter the government issued ID in a card reader so websites can read age and biometric data from the chip.

That’s the point: enable mass surveillance and thee loss of privacy under the guise of another cause, usually “protecting the children”.

Hence why Illinois has already mame it illegal.

It's amazing how much it's possible to foment arguments against something if you are very well funded and a regulation will cost your industry a lot of money.

Age verification is a good thing. Giving children unrestricted access to hardcore pornography is bad for them. Whatever arguments you want to make, fundamentally this is true.

parents: won't somebody else put some rules and safeguards in place to protect my children?

I feel like the ending undermines the whole piece. Throwing your hands up and going "we should do nothing" isn't really a solution. If a compromise exists I think it's adding age requests on device setup. There wouldn't be any verification but it could be used as a way to limit access to content globally. Content provides would just need a simple API to check if the age range fits and move right along.

This puts more onus on parents and guardians to ensure their child's devices are set up correctly. The system wouldn't be perfect and people using something like Gentoo would be able to work around it, but I think it helps address the concerns. A framework would need to be created for content providers to enforce their own rating system but I don't think it's an impossible task. It obviously wouldn't cover someone not rating content operating out of Romania, but should be part of the accepted risk on an open internet.

Personally I do agree with the "do nothing" stance, but I don't think it's going to hold up among the wider public. The die is cast and far too many average people are supporting moves like this. So the first defense should be to steer that conversation in a better way instead of stonewalling.

Imagine an OIDC type solution but for parents might work here.

Basically, kids can sign up for an account triggering a notification to parents. The parent either approves or rejects the sign in. Parents can revoke on demand. See kids login usage to various apps/services. Gets parental restrictions in the login flow without making it a PITA.

Isn't this the same debate as airports post 9/11, whether you can have both privacy and security? Seems conclusive, no.

My main takeaway from this is that politicians seem to have given up on making "social media" less harmful by regulating it, and instead focus on gatekeeping access, with the added perk of supplying security services and ad tyrants with yet another data pump.

All adults proof their identify multiple times per month: Every time they access digital health records, or when they use any electronic payment.

Just make Google/Apple reveal part of that data (age > x years) to websites and apps.

Boom, done. Privacy guarded. Easy.

(thats the point)

It's just another way to surveil the population and won't cause any real problems for anyone who can work around it.

I think this should work like OpenID connect but with just a true/false.

PS = pr0n site

AV = age verification site (conforming to age-1 spec and certified)

  PS: Send user to AV with generated token
  AV: Browser arrives with POST data from PS with generated token
  AV: AV specific flow to verify age - may capturing images/token in a database. May be instant or take days

  AV: Confirms age, provides link back to original PS
  PS: Requests AV/status response payload:

  {
    "age": 21,
    "status": "final"
  }

I don't know if this is already the flow, but I suspect AV is sending name, address, etc... All stuff that isn't needed if AV is a certified vendor.

All of my kids devices are identified, at device level, as children's devices. They could've trivially exposed this as metadata to allow sites to enforce "no under 18" use. However, I'd disagree that my bigger concern for my kids isn't that they'd see a boob or a penis, but that they'd see an influencer who'd try to radicalize them to some extremist cause, and that's usually not considered 18+ content.

And either way, none of that requires de-anonymizing literally everyone on the internet. I'd be more than happy to see governments provide cryptographically secure digital ID and so that sites can self-select to start requiring this digital ID to make moderation easier.

zero knowledge cryptography solves this

I don't see why platforms would have to store the data indefinitely.

Once you are verified, you just flip a bit "verified" in the database and delete all identification data.

No reason to store the data indefinitely

"Think of the children" is merely a political argument to get a law to be popular among normal people.

Big Tech refused to work together to implement a age flag that parents would setup on the children device, now we get each European and each USA state with their own special rules.

this is a broader parenting problem, the state doesn't need to do this

politicians are interested in it because they're begging for some way to censor the internet, which would actually be even worse for parenting because now it prevents children from ever learning to be responsible with these highly addictive platforms

That was the goal.

I can understand the need to restrict some stuff kids can see, like when I was a teen it me hours and hours to download one 2 minute porn clip from kazaa, but these days you could download a lifetime worth in one weekend. That can't be healthy.

That being said nothing about these laws is about protecting children; their primary purpose is to crack down on the next Just Stop Oil or Palestine Action so for that reason should be opposed.

It's to continue the culture of bullying and lack-of-accountability by and for the perversely rich oligarchy.

For you'll need to be accounted while they do the counting.

If government is concerned shouldn't government just deliver auth based on birth certificate for everyone to use?

In most countries is illegal for small children to drive or to use fire arms. And it's their parents job to not let them to.

Instead of requiring IDs, we should let parents manage what their children do online.

Same people who are on Epstein files wants to protect children?

My new comment

30 years of internet were possible with relative freedom, without spying and surveillance. All of the sudden it's not possible.

Governments recycle "Think of the children" mantra and they are again after terrorists and bad guys.

if you are paying for internet access you have to be over 18, no?

and if you have internet access without paying, that means someone else is legally responsible for your access

"problem solved" ?

I have a problem with an open internet and allowing open access to everything the internet can offer to young children.

It cannot be a friction-less experience. Allowing children to see gore and extreme porn at a young age is not healthy. And then we have all the "trading" platforms (gambling).

Even though my brothers were able to get many hard drugs when I was young, around 1977, there was a lot of friction. Finding a dealer, trusting them, etc. Some bars would not card us but even then there was risk and sometimes they got caught. In NY we could buy cigarettes, no friction, and the one drug I took when I was young, addicted to them at 16, finally quitting for good at 20. I could have used some friction there.

So how do we create friction? Maybe hold the parents liable? They are doing this with guns right now, big trial is just finishing and it looks like a father who gave his kid an ak47 at 13 is about to go to jail.

I would like to see a state ID program when the ID is just verified by the State ID system. This way nothing needs to be sent to any private party. Sites like Discord could just get a OK signal from the state system. They could use facial recognition on the phone that would match it with the ID.

Something needs to be done however. I disagree that the internet needs to be open to all at any age. You do not need an ID to walk into a library, but you need one to get into a strip club. I do not see why that should not be the same on the internet.

Corporate interests don’t care about data privacy or security they care about liability and compliance which are not the same thing.

Major banks and government institutions can’t even be bothered to implement the NIST password guidelines. If they got their gdpr soc2 fedramp whatever it’s green lights and the rest is insurance.

The point is to undermine data protection; this debate is useless. It's a question about power and control, not a technical one. The people lobbying for this don't care about children, and neither are they getting big support from a constituency clamoring for this. This is an intelligence initiative, and a donor initiative from people who are in a position to control the platform (all computing and communications) after it is locked down.

It's not even worth talking about online. There's too much inorganic support for the objectives of nation-states and the corporations that own them.

Legislation has been advanced in Colorado demanding that all OSes verify the user's age. It will fail, but it will be repeated 100 times, in different places, smuggled attached to different legislation, the process and PR strategies refined and experimented with, versions of it passed in Australia, South Korea, maybe the UK and Europe, and eventually passed here. That means that "general purpose" computing will be eventually be lost to locked bootloaders.

https://www.pcmag.com/news/colorado-lawmakers-push-for-age-v...

[edit: I'm an idiot, they already passed it in California https://www.hunton.com/privacy-and-cybersecurity-law-blog/ca...]

And it will be an entirely engineered and conscious process by people who have names. And we will babble about it endlessly online, pretending that we have some control over it, pretending that this is a technical discussion or a moral discussion, on platforms that they control, that they allow us to babble on as an escape valve. Then, one day the switch will flip, and advocacy of open bootloaders, or trading in computers that can install unattested OSes, will be treated as organized crime.

All I can beg you to do is imagine how ashamed you'll be in the future when you're lying about having supported this now, or complaining that you shouldn't have "trusted them to do it the right way." Don't let dumb fairytales about Russians, Chinese, Cambridge Analytics and pedophile pornography epidemics have you fighting for your own domination. Maybe you'll be the piece of straw that slows things down just enough that current Western oligarchies collapse before they can finish. Maybe we'll get lucky.

Polls and ballots show that none of this stuff has majority organic support. But polls can be manipulated, and good polls have to be publicized for people to know they're not alone, and not afraid they're misunderstanding something. If both candidates on the ballot are subverted, the question never ends up on the ballot.

The article itself says nothing that hasn't been said before, and stays firmly under the premise that access to content online by under-18s is suddenly one of the most critical problems of our age, rather than a sad annoyance. What is gained by having this dumb discussion again?

It's crazy to me that we want to force age verification on every service across the Internet before we ban phones in school. I could understand being in favor of both, or neither, but implementing the policy that impacts everybody's privacy before the one that specifically applies within government-run institutions is just so disappointingly backwards it's tempting to consider conspiracy-like explanations.

The advantage, I think, of age verification by private companies over cellphone bans in public schools is that cellphone bans appear as a line-item on the government balance sheet, whereas the costs of age verification are diffuse and difficult to calculate. It's actually quite common for governments to prefer imposing costs in ways that make it easier for the legislators to throw up their hands and whistle innocently about why everything just got more expensive and difficult.

And the argument over age verification for merely viewing websites, which is technically difficult and invasive, muddles the waters over the question of age verification for social media profiles, where underage users are more likely to get caught and banned by simple observation. The latter system has already existed for decades -- I remember kids getting banned for admitting they were under 13 on videogame forums in the '00s all the time. It seems like technology has caused people to believe that the law has to be perfectly enforceable in order to be any good, but that isn't historically how the law has worked -- it is possible for most crimes to go unsolved and yet most criminals get caught. If we are going to preserve individual privacy and due process, we need to be willing to design imperfect systems.

As a parent, I'm happy that social bans are finally a thing.

But, I don't get the approach. It's not like social media starts being a positive in our life at 20. The way these companies do social media is harmful to mental health at every age. This is solving the wrong problem.

The solution is to take away their levers to make the system so addictive. A nice space to keep in touch with your friends. Nothing wrong with that.

I'm going to state that at one point I was one of the young people this kind of legislation is meaning to protect. I was exposed to pornography at too young an age and it became my only coping mechanism to the point where as an adult it cost me multiple jobs and at one point my love life.

I don't think this legislation would have helped me. I found the material I did outside of social media and Facebook was not yet ubiquitous. I did not have a smartphone at the time, only a PC. I stayed off social media entirely in college. Even with nobody at all in my social sphere, it was still addicting. There are too many sites out there that won't comply and I was too technically savvy to not attempt to bypass any guardrails.

The issue in my case was not one of "watching this material hurt me" in and of itself. It was having nobody to talk to about the issues causing my addiction. My parents were conservative and narcissistic and did not respect my privacy so I never talked about my addiction to them. They already punished me severely for mundane things and I did not want to be willingly subjected to more. To this day they don't realize what happened to me. The unending mental abuse caused me to turn back to pornography over and over. And I carried a level of shame and disgust so I never felt comfortable disclosing my addiction to any school counselors or therapists for decades. The stigma around sexual issues preventing people from talking about them has only grown worse in the ensuing years, unfortunately.

At most this kind of policy will force teenagers off platforms like Discord which might help with being matched with strangers, but there are still other avenues for this. You cannot prevent children from viewing porn online. You cannot lock down the entire Internet. You can only be honest with your children and not blame or reproach them for the issues they have to deal with like mine did.

In my opinion, given that my parents were fundamentally unsafe people to talk to, causing me to think that all people were unsafe, then the issue of pornography exposure became an issue. In my case, I do not believe there was any hope for me that additional legislation or restrictions could provide, outside of waking up to my abuse and my sex addiction as an adult decades later. Simply put, I was put into an impossible situation, I didn't have any way to deal with it as a child, and I was ultimately forsaken. In life, things like those just happen sometimes. All I can say was that those who forsook me were not the platforms, not the politicians, but the people who I needed to trust the most.

I believe many parents who need to think about this issue simply won't. The debate we're having here on this tech-focused site is going to pass by them unnoticed. They're not going to seriously consider these issues and the status quo will continue. They won't talk with their children to see if everything's okay. I don't have many suggestions to offer except "find your best family," even if they aren't blood related.

"In cases when regulators demand real enforcement rather than symbolic rules, platforms run into a basic technical problem. The only way to prove that someone is old enough to use a site is to collect personal data about who they are."

These so-called "platforms" already collect data about who people are in order to facilitate online advertising and whatever else the "platform" may choose to do with it. There is no way for the user to control where that data may end up or how it may be used. The third party can use the data for any purpose and share it with anyone (or not). Whether they claim they do or don't do something with the data is besides the point, their internal actions cannot be verified and there are no enforceable restrictions in the event a user discovers what they are doing and wants to stop them (at that point it may be too late for the user anyway)

"Tech" journalists and "tech bros" routinely claim these "platforms" know more about people than their own families, friends and colleagues

That's not "privacy"

Let's be honest. No one is achieving or maintaining internet "privacy" by using these "platforms", third party intermediaries (middlemen) with a surveillance "business model", in order to communicate over the internet

On the contrary, internet "privacy" has been diminishing with each passing year that people continue to use them

The so-called "platforms" have led to vast repositories of data about people that are used every day by entities who would otherwise not be legally authorised or technically capable of gathering such surveillance data. Most "platform" users are totally unaware of the possibilities. The prospect of "age verification" may be the wake up call

"Age verification" could potentially make these "platforms" suck to a point that people might stop using them. For example, it might be impossible to implement without setting off users' alarm bells. In effect, it might raise more awareness of how the vast quantity of data about people these unregulated/underregulated third parties collect "under the radar" could be shared with or used by other entities. Collecting ID is above the radar and may force people to think twice

The "platforms" don't care about "privacy" except to control it. Their "business model" relies on defeating "privacy", reshaping the notion into one where privacy from the "platform" does not exist

Internet "privacy" and mass data collection about people via "platforms" are not compatible goals

"... our founders displayed a fondness for hyperbolic vilification of those who disagreed with them. In almost every meeting, they would unleash a one-word imprecation to sum up any and all who stood in the way of their master plans.

"Bastards!" Larry would exclaim when a blogger raised concerns about user privacy."

- Douglas Edwards, Google employee number 59, from 2011 book "I'm feeling lucky"

If a user decides to stop using a third party "platform" intermediary (middleman) that engages in data collection, surveillance and ad services, for example, because they wish to avoid "age verification", then this could be the first step toward meaningful improvements in "internet privacy". People might stop creating "accounts", "signing in" and continuing to be complacent toward the surreptititious collection of data that is subsequently associated with their identity to create "profiles"

[dead]

[dead]